Unit42 states that HelloKitty is a ransomware family that first surfaced at the end of 2020, primarily targeting Windows systems. The malware family got its name due to its use of a Mutex with the same name: HelloKittyMutex. The ransomware samples seem to evolve quickly and frequently, with different versions making use of the .crypted or .kitty file extensions for encrypted files. Some newer samples make use of a Golang packer that ensures the final ransomware code is only loaded in memory, most likely to evade detection by security solutions.
| Title | Available | Last Visit | FQDN | Screenshot |
|---|---|---|---|---|
| News | 🔴 | 2021-10-02 15:17:11.282676 | 3r6n77mpe737w4sbxxxrpc5phbluv6xhtdl5ujpnlvmck5tc7blq2rqd.onion | N/A |
| Employees(s) | Customer(s) | Third Party Employee(s) |
|---|---|---|
This information is provided by HudsonRock
rule ransom_Linux_HelloKitty_0721 {
meta:
description = "rule to detect Linux variant of the Hello Kitty Ransomware"
author = "Christiaan @ ATR"
date = "2021-07-19"
Rule_Version = "v1"
malware_type = "ransomware"
malware_family = "Ransom:Linux/HelloKitty"
hash1 = "ca607e431062ee49a21d69d722750e5edbd8ffabcb54fa92b231814101756041"
hash2 = "556e5cb5e4e77678110961c8d9260a726a363e00bf8d278e5302cb4bfccc3eed"
strings:
$v1 = "esxcli vm process kill -t=force -w=%d" fullword ascii
$v2 = "esxcli vm process kill -t=hard -w=%d" fullword ascii
$v3 = "esxcli vm process kill -t=soft -w=%d" fullword ascii
$v4 = "error encrypt: %s rename back:%s" fullword ascii
$v5 = "esxcli vm process list" fullword ascii
$v6 = "Total VM run on host:" fullword ascii
$v7 = "error lock_exclusively:%s owner pid:%d" fullword ascii
$v8 = "Error open %s in try_lock_exclusively" fullword ascii
$v9 = "Mode:%d Verbose:%d Daemon:%d AESNI:%d RDRAND:%d " fullword ascii
$v10 = "pthread_cond_signal() error" fullword ascii
$v11 = "ChaCha20 for x86_64, CRYPTOGAMS by <appro@openssl.org>" fullword ascii
condition:
( uint16(0) == 0x457f and filesize < 200KB and ( 8 of them )
) or ( all of them )
}